I hereby certify that this corresponu 
is being deposited with the United ! 
Postal Service as first class mail in an 
envelope addressed to: 
Commissioner for Patents 
P.O. Box 1450 / / 

Alexandria; VA- 223 13-1450 on /0/2-t/o <f" 




oaro&e^.Z-/ / Zooy- 
Date 



IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In re Application of 
RICHARD T. EVERS 
Entitled: 



SYSTEM AND METHOD FOR SECURE 
INSTALLATION AND OPERATION OF 
SOFTWARE 

Filed: February 23, 2004 



Attorney Docket No. 0638 
Group Art Unit 2122 
Application Serial No. 10/785,579 



600 Grant Street, 44th Floor 
Pittsburgh, PA 15219 
October 21, 2004 

Commissioner for Patents 

P.O. Box 1450 

Alexandria, VA 22313-1450 

PETITION TO MAKE SPECIAL PURSUANT TO 37 CFR 1.102fd^ 

Dear Sir: 

Applicant, through the undersigned attorney, hereby petitions to make the 
above-captioned Application special pursuant to 37 CFR 1.102(d) and, in particular, pursuant 
to MPEP 708.02, VIII. 

It is believed that the Application has not yet received any examination by the 
examiner and, therefore, may be granted special status in view of the following items: 

(A) A Fee Sheet and duplicate copy thereof accompany this Petition, in order 
to pay the fee set forth in 37 CFR 1.17(h). 

(B) It is submitted that Claims 1-20 of the Application are directed to a single 

invention. 

10/26/2004 FFANAIR2 00000038 10785579 

01 FC:1460 130.00 OP 



0638 



(C) Attached hereto as Exhibit 1 is a true and correct copy of a 
Communication from the European Patent Office including the European search report for 
the corresponding European Application No. 04250954.7, filed February 23, 2004. Attached 
hereto as Exhibit 2 is a true and correct copy of Claims 1-20 of said European Application. It 
is submitted that the claims of said European Application are of the same or similar scope to 
Claims 1-20 of the present Application. 

(D) Attached hereto as Exhibit 3 are three references, which are identified in 
the European search report as Documents Dl, D2 and D3, which references are deemed most 
closely related to the subject matter encompassed by present Claims 1-20. Those references 
along with one additional reference (Document D4, category A: technological background) 
and the European search report are contemporaneously being made of record through an 
accompanying Supplemental Information Disclosure Statement. 

(E) A detailed discussion of the references is set forth below, which discussion 
points out, with the requisite particularity, how the claimed subject matter is patentable over 
the references. 

Detailed Discussion of the References 

Document Dl (as identified by the European search report) discloses Primary 
and alternate data streams (ADSs) in the New Technology File System (NTFS) of Microsoft. 
This reference also discloses (page 7) that there is "malware" that takes advantage of ADSs 
(e.g., W2k. stream). 

Document D2 (as identified by the European search report) discloses that 
W2K. Stream is a virus that only replicates on Windows 2000 systems that use an NTFS 
partition. W2K.Stream utilizes an NTFS feature that exists on both Windows NT and 
Windows 2000. The virus writers believed that this particular feature did not exist on 
Windows NT and therefore reduced the virus to be Windows 2000 specific by having the 
virus check the OS version (similar to the W2K.Installer virus). 

NTFS streams are virtually hidden from users. This is because NT commands 
or standard Windows 2000 applications do not display them. A given file on an NTFS 
partition is basically an unnamed stream of a file. Any file can have associated named 
streams. These streams can be accessed during standard file operations. Most Windows 
NT/2000 applications do not use named streams. 

W2K.Stream virus is 3628 bytes. The virus is compressed with a popular 
Portable Executable (PE) file compressor called Petite. The actual virus code inside is very 
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short. First, the virus checks the Windows version of the current system. If it is not 
Windows 2000, then the virus displays a message. 

The virus is basically a new subclass of companion viruses, a "stream 
companion" virus. When the virus infects a file it replaces the host application with itself. 
Basically the virus implements the simplest possible virus infection by overwriting the host 
program with its own code. In other words, each infected file will be 3628 bytes long. The 
trick of the virus is that it saves the original host application as a named stream of the host 
program. 

The W2K.Stream proof-of-concept virus is based upon a "W2K.Installer" 
virus. The name of that virus is a misnomer because it is uses a parasitic technique to take 
control of an executable file and insert a necessary component of itself into a "cavity" within 
the executable file. A cavity, in this instance, is a block of available space in the code 
segment of the executable file that would be large enough for the virus component to live in. 
After placement in the cavity, a change is made to the PE file header to execute the virus 
contained in the code segment. This parasitic method of placement takes advantage of a 
structural design defect of the Windows PE file structure where checksums are not employed 
to prevent execution of modified executable files. The W2K. Stream proof-of-concept virus 
uses an identical technique but went a step further by hiding itself in an Alternate Data 
Stream. 

Document D3 (as identified by the European search report) discloses an 
installer (page 33), an end user license agreement (EULA) (page 32), and an installation file, 
an installation directory and an installation script (page 37) for a VMware Workstation. 

Claim 1 recites a method for secure installation and operation of software, the 
method comprising: employing an NT File Structure logical volume; employing an installer; 
writing a Primary Data Stream file to the NT File Structure logical volume from the installer; 
associating data with the Primary Data Stream file; and writing the associated data to the NT 
File Structure logical volume as an Alternate Data Stream file from the installer. 

Claim 1 recites employing an installer, writing a Primary Data Stream file to 
an NT File Structure logical volume from such installer, and writing associated data with the 
Primary Data Stream file and to the NT File Structure logical volume as an Alternate Data 
Stream file from such installer. 

Documents Dl and D2 teach and suggest a W2K.Stream virus . When this 
virus infects a file it replaces a host application with itself . Basically, the virus implements 
the simplest possible virus infection by overwriting the host program with its own code . 
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For example, a virus is completely different from the recited installer and does 
not install or upgrade files in a traditional sense. Instead, a virus usually overwrites existing 
files or exists as a parasite within existing files. This view is confirmed by the express 
teachings of Documents Dl and D2, which state that the virus replaces a host application 
with itself . This view is also supported by Exhibit 4, which provides a definition of "virus" 
namely a "program that can 'infect 9 other programs by modifying them to include a, possibly 
evolved, copy of itself. A program that infects a computer by att[]aching itself to another 
program, and propagating itself when that program is executed." 

Furthermore, a malware virus is a "program or piece of code that is loaded 
onto your computer without your knowledge and runs against your wishes." See Exhibit 5. 
This is completely different from a method for secure installation and operation of software. 

Document D3 adds nothing to Documents Dl and D2 regarding writing a 
Primary Data Stream file or an Alternate Data Stream file to an NT File Structure logical 
volume from an installer. 

The references, whether taken alone or in combination, do not teach or suggest 
the refined recital of employing an installer, writing a Primary Data Stream file to an NT File 
Structure logical volume from such installer, and writing associated data with the Primary 
Data Stream file and to the NT File Structure logical volume as an Alternate Data Stream file 
from such installer. 

Accordingly, for the above reasons, Claim 1 patentably distinguishes over the 

references. 

Claims 2-10 depend either directly or indirectly from Claim 1 and patentably 
distinguish over the references for the same reasons. 

Furthermore, Claim 5 recites creating a Primary Data Stream directory chain; 
writing the Primary Data Stream directory chain to the NT File Structure logical volume from 
the installer; writing the Primary Data Stream file to the Primary Data Stream directory chain 
in the NT File Structure logical volume from the installer; associating the data with the 
Primary Data Stream directory chain or the Primary Data Stream file by creating and closing 
the Alternate Data Stream file; and installing the associated data to the NT File Structure 
logical volume as the Alternate Data Stream file from the installer. 

Since the references neither teach nor suggest the refined recital of Claim 1 , 
they clearly neither nor suggest these additional limitations which further patentably 
distinguish over the references. 
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Furthermore, Claim 6 recites employing an installation file comprising the 
Primary Data Stream file, the Alternate Data Stream file, installation instructions, the Primary 
Data Stream directory chain, and an End User License Agreement. 

Claim 6 depends directly from Claim 5 and indirectly from Claim 1 and 
includes all of the limitations of those claims. Since the references neither teach nor suggest 
the refined recital of Claim 5, they clearly neither nor suggest these additional limitations 
which further patentably distinguish over the references. 

Claim 7 recites displaying the installation instructions and the End User 
License Agreement from the installation file. 

Since the references neither teach nor suggest the refined recital of Claim 6, 
they clearly neither nor suggest these additional limitations which further patentably 
distinguish over the references. 

Furthermore, Claim 8 recites employing as the associated data first data; 
employing as the Alternate Data Stream file a first Alternate Data Stream file; employing 
second data; associating the second data with the Primary Data Stream file; and writing the 
associated second data to the NT File Structure logical volume as a second Alternate Data 
Stream file from the installer. 

Since the references neither teach nor suggest the refined recital of Claim 1 , 
they clearly neither nor suggest these additional limitations which further patentably 
distinguish over the references. 

Furthermore, Claim 10 recites employing an installation file; defining in the 
installation file a Primary Data Stream directory chain, the Primary Data Stream file, the 
Alternate Data Stream file, and at least one information file; displaying the at least one 
information file from the installation file; creating the Primary Data Stream directory chain in 
the NT File Structure logical volume; copying the Primary Data Stream file from the 
installation file to the Primary Data Stream directory chain in the NT File Structure logical 
volume; and copying the Alternate Data Stream file from the installation file to the Primary 
Data Stream directory chain in the NT File Structure logical volume. 

Since the references neither teach nor suggest the refined recital of Claim 1, 
they clearly neither nor suggest these additional limitations which further patentably 
distinguish over the references. 

Claim 1 1 is an independent claim which recites, inter alia, a computer system 
for secure installation and operation of software comprising: a processor; a first drive adapted 
for access by the processor; a second drive adapted for access by the processor, the second 
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drive including an NT File Structure logical volume; and an installer operatively associated 
with the first drive, the installer cooperating with the processor to write a Primary Data 
Stream file to the NT File Structure logical volume, associate data with the Primary Data 
Stream file, and write the associated data to the NT File Structure logical volume as an 
Alternate Data Stream file. 

For reasons that were discussed above in connection with Claim 1, a virus is 
completely different from the recited installer and does not install or upgrade files in a 
traditional sense. Instead, a virus usually overwrites existing files or exists as a parasite 
within existing files. This view is confirmed by the express teachings of Documents Dl and 
D2, which state that the virus replaces a host application with itself Furthermore, a malware 
virus is a "program or piece of code that is loaded onto your computer without your 
knowledge and runs against your wishes." This is completely different from a computer 
system for secure installation and operation of software. 

Document D3 adds nothing to Documents Dl and D2 regarding writing a 
Primary Data Stream file or an Alternate Data Stream file to an NT File Structure logical 
volume from an installer. 

The references, whether taken alone or in combination, do not teach or suggest 
the refined recital of a computer system for secure installation and operation of software 
comprising: an installer operatively associated with a first drive, such installer cooperating 
with a processor to write a Primary Data Stream file to an NT File Structure logical volume, 
associate data with such Primary Data Stream file, and write such associated data to such NT 
File Structure logical volume as an Alternate Data Stream file. 

Claims 12-20 depend either directly or indirectly from Claim 1 1 and 
patentably distinguish over the references for the same reasons. 

Furthermore, Claim 12 recites that the NT File Structure logical volume 
includes a directory chain or a system directory; and that the installer installs the Primary 
Data Stream file in the directory chain or the system directory of the NT File Structure logical 
volume. 

Since the references neither teach nor suggest the refined recital of Claim 1 1, 
they clearly neither nor suggest these additional limitations which further patentably 
distinguish over the references. 

Furthermore, Claim 1 6 recites that the installer cooperates with the processor 
to create a Primary Data Stream directory chain, to write the Primary Data Stream directory 
chain to the NT File Structure logical volume, to write the Primary Data Stream file to the 
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Primary Data Stream directory chain in the NT File Structure logical volume, to associate the 
data with the Primary Data Stream directory chain or the Primary Data Stream file, and to 
install the associated data to the NT File Structure logical volume as the Alternate Data 
Stream file. 

Since the references neither teach nor suggest the refined recital of Claim 1 1, 
they clearly neither nor suggest these additional limitations which further patentably 
distinguish over the references. 

Furthermore, Claim 17 recites that the installer comprises an installation file 
comprising the Primary Data Stream file, the Alternate Data Stream file, installation 
instructions, a Primary Data Stream directory chain, and an End User License Agreement. 

Claim 17 further patentably distinguishes over the references for similar 
reasons as were discussed above in connection with Claim 6. 

Furthermore, Claim 18 recites that the processor includes a display; and that 
the installer cooperates with the processor to display the installation instructions and the End 
User License Agreement on the display. 

Claim 18 further patentably distinguishes over the references for similar 
reasons as were discussed above in connection with Claim 7. 

Furthermore, Claim 20 recites that the processor includes a display; that the 
installer comprises an installation file including a Primary Data Stream directory chain, the 
Primary Data Stream file, the Alternate Data Stream file, and at least one information file; 
and that the installer cooperates with the processor to display the at least one information file 
from the installation file to the display, to create the Primary Data Stream directory chain in 
the NT File Structure logical volume, to copy the Primary Data Stream file from the 
installation file to the Primary Data Stream directory chain in the NT File Structure logical 
volume, and to copy the Alternate Data Stream file from the installation file to the Primary 
Data Stream directory chain in the NT File Structure logical volume. 

Claim 20 further patentably distinguishes over the references for similar 
reasons as were discussed above in connection with Claim 10. 
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In view of the above, it is hereby requested that the above-captioned 
Application be made special pursuant to 37 CFR 1 .102(d) and, in particular, pursuant to 
MPEP 708.02, VIII. 



Respectfully submitted, 




Registration No. 37,357 

(4 1 2) 566-6083 Attorney for Applicant 



-8- 



PTO/SB/17(10-04v2) 
Approved for use through 07/31/2006. OMB 0651-0032 
U.S. Patent and Trademark Office; U.S. DEPARTMENT OF COMMERCE 
Under the Paperwork Reduction Act of 1995. no persons are required to respond to a collection of information unless It displays a valid OMB control number. 



FEE TRANSMITTAL 
fiw FY 2005 

Effective 1010112004. Patent fees are subject to annual revision. 



I I Applicant claims small entity status. See 37 CFR 1 .27 



TOTAL AMOUNT OF PAYMENT 



Complete if Known 



Application Number 



Filing Date 



First Named Inventor 



Examiner Name 



($) 130.00 



Art Unit 



Attorney Docket No. 



10/785,579 



February 23, 2004 



RICHARD T. EVERS 



Not Known 



2122 



0638 



METHOD OF PAYMENT (check all that apply) 



FEE CALCULATION (continued) 



["I Check (✓] Credit card □ Money Q other | |None 
[✓J Deposit Account 



3. ADDITIONAL FEES 



Large Entity 



Deposit 
Account 
Number 
Deposit 
Account 



02-2556 



Eckert Seamans 



The Director is authorized to: (check all that apply) 

W\ Charge fee(s) indicated below [✓! Credit any overpayments 
j — I to credit card to deposit account 

[✓J Charge any additional fee(s) or any underpayment of fee(s) 

to deposit account 
j ] Charge fee(s) indicated below, except for the filing fee 

to the above-identified deposit account. 



FEE CALCULATION 



1. BASIC FILING FEE 
Large Entity Small Entity 
Fee Fee iFee 
Code ($) 

1001 790 

1002 350 

1003 550 

1004 790 

1005 160 



Code 

2001 395 

2002 175 

2003 275 

2004 395 

2005 80 



. Fee Poscrlptlon 

Utility filing fee 
Design filing fee 
Plant filing fee 
Reissue filing fee 
Provisional filing fee 

SUBTOTAL (1) |($) 



Fee Paid 



2. EXTRA CLAIM FEES FOR UTILITY AND REISSUE 

Fee from 

. , Extra Claims hejftw Fee Paid 

Total Claims I I -20** = I I X I 4 I 

independent r— | _ 3 „ = | | x C 

Multiple Dependent f~~ 



Fee Fee 
Code ($) 

1051 130 

1052 50 

1053 130 
1812 2,520 

1804 920* 

1805 1,840* 

1251 110 

1252 430 

1253 980 

1254 1,530 

1255 2,080 

1401 340 

1402 340 

1403 300 

1451 1,510 

1452 110 

1453 1,370 

1501 1,370 

1502 490 



DC 



Large Entity 



Fee Fee 
Code ($) 

1202 18 
1201 88 

1203 300 

1204 88 

1205 18 



Small Entity 
Fee Fee 
Code ($) 

2202 9 
2201 44 

2203 150 

2204 44 

2205 9 



Fee Description 

Claims in excess of 20 

Independent claims in excess of 3 

Multiple dependent claim, if not paid 

•* Reissue independent claims 
over original patent 

** Reissue claims in excess of 20 
and over original patent 



SUBTOTAL (2) 



SSL 



**or number previously paid, if greater; For Reissues, see above 



1503 
1460 
1807 
1806 
8021 
1809 



660 
130 

50 
180 

40 
790 



1810 790 



1801 
1802 



790 
900 



Small Entity 



Fee Description 



Fee Fee 
Code ($) 

2051 65 Surcharge - late filing fee or oath 

2052 25 Surcharge - late provisional filing fee or 

cover sheet 
1053 130 Non-English specification 
1812 2,520 For filing a request for ex parte reexamination 

1804 920* Requesting publication of SIR prior to 

Examiner action 

1805 1,840* Requesting publication of SIR after 

Examiner action 

2251 55 Extension for reply within first month 

2252 215 Extension for reply within second month 

2253 490 Extension for reply within third month 

2254 765 Extension for reply within fourth month 

2255 1 ,040 Extension for reply within fifth month 

2401 170 Notice of Appeal 

2402 170 Filing a brief in support of an appeal 

2403 150 Request for oral hearing 

1 451 1 .51 0 Petition to institute a public use proceeding 
2452 55 Petition to revive - unavoidable 
685 Petition to revive - unintentional 
685 Utility issue fee (or reissue) 
245 Design issue fee 
330 Plant issue fee 
130 Petitions to the Commissioner 
50 Processing fee under 37 CFR 1.17(q) 
180 Submission of Information Disclosure Stmt 



,Fftfi Paid 



2453 
2501 
2502 
2503 
1460 
1807 
1806 
8021 
2809 

2810 

2801 
1802 



40 Recording each patent assignment per 

property (times number of properties) 
395 Filing a submission after final rejection 
(37 CFR 1.129(a)) 

395 For each additional invention to be 
examined (37 CFR 1.129(b)) 

395 Request for Continued Examination (RCE) 

900 Request for expedited examination 
of a design application 



Other fee (specify) 

'Reduced by Basic Filing Fee Paid 



SUBTOTAL (3) 



130.00 



($) 130.00 



SUBMITTED BY 



Name (Print/Type) 



Kirk£>. Houser 




L Registration No. 
(Attomw/Amntt 



37,357 



(Complete (if applicable)) 



Telephone 412.566.6083 



04 J 



Signature 



Date 



October 21, 2004 



WARNING: Information on this form may become public. Credit card information should not 
be included on this form. Provide credit card information and authorization on PTO-2038. 

This collection of information is required by 37 CFR 1.17 and 1.27. The information is required to obtain or retain a benefit by the public which is to file (and by the 
USPTO to process) an application. Confidentiality is governed by 35 U.S.C. 122 and 37 CFR 1.14. This collection is estimated to take 12 minutes to complete, 
including gathering, preparing, and submitting the completed application form to the USPTO. Time will vary depending upon the individual case. Any comments on 
the amount of time you require to complete this form and/or suggestions for reducing this burden, should be sent to the Chief Information Officer, U.S. Patent and 
Trademark Office, U.S. Department of Commerce, P.O. Box 1450. Alexandria, VA 22313-1450. DO NOT SEND FEES OR COMPLETED FORMS TO THIS ADDRESS. 
SEND TO: Commissioner for Patents, P.O. Box 1450, Alexandria, VA 22313-1450. 



If you need assistance in completing the form, call 1-800-PTO-9199 and select option 2. 




P.B.5818 - Patentlaan 2 
2280 HV Rijswijk (ZH) 
^ +3-1 70 340 2040 
TX 31651 epo nl 
.FAX +31 70 340 3016 



Europaisches 
Patentamt 



Zweigstelle 
in Den Haag 
Recherchen- 



European 
Patent Office^ 

Branch at 
The Hague 
Search 

division 



EXHIBIT 

1 

^ae^Srevets 

Departement a 
La Haye 
Division de la 
recherche. 



Hibbert, Juliet Jane Grace 
Kilburn & Strode, 
20 Red Lion Street 
London WC1R 4PJ 
GRANDE BRETAGNE 




Datum/Date 

30.07.04 



Zeichen/Ref./Ftef. 

P36680EP/JJH 



AnmekJung Nr. /Application Nc/Demande n°./Patent Nr ./Paten! NoVBrevet n°. 

04250954.7-2211- 



An melder/ App licant/Deman deu r/Pat e nt i nha ber/P roprietor/T itutaire 

Research In Motion Limited 



COMMUNICATION 

The European Patent Office herewith transmits as an enclosure the European search report for the 
atx>ve-mentioned European patent application. 

If applicable, copies of the documents cited in the European search report are attached. 

DD Additional set(s) of copies of the documents cited in the European search report is (are) enclosed 
as well. 

The following specifications given by the applicant have been approved by the Search Division: 
[XJ abstract [X] title 

□ The abstract was modified by the Search Division and the definitive text is attached to this 
communication. 

The following figure will be published together with the abstract: 1 



Docketing 

NOTED jcjjj 



REFUND OF THE SEARCH FEE 

If applicable under Article 10 Rules relating to fees, a separate communication 
from the Receiving Section on the refund of the search fee will be sent later. 




° J na 90^0 



CDO C^rm -4 CA-7 n /M C\C\ 



European Patent 
Office 



EUROPEAN SEARCH REPORT 



Application Number 

EP 04 25 0954 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category 



Citation of document with indication, where appropriate, 
of relevant passages 



Relevant 
to claim 



CLASSIFICATION OF THE 
APPLICATION (lntCI.7) 



HAL BERGHEL, NAT ASA BRAJKOVSKA: "Phishing 
in Alternate Data Streams" 
ASSOCIATION FOR COMPUTING MACHINERY, 
'Online! 6 January 2004 (2004-01-06), 
XP002283088 

Retrieved from the Internet: 
URL : http ://www . acm . org/hl b/col -edi t/di gi ta 
l_vi 1 1 age/apr-04/dv_4-04 . html > 
'retrieved on 2004-06-02! 



* page 1, section "Alternate Data 
Streams", paragraph 1 * 

* page 7, section "Security Implications 
of ADSs", paragraph 1 * 

* section "Origins", paragraph 1 * 

* page 3 * 

* section "URL Pearls:", paragraph 

* page 2, line 16 - page 3, line 9 

* figure 1 * 



1,3-5,8, 
9,11,12, 
14-16,19 



G06F9/445 



2,6,7, 
10,13, 
17,18,20 



3 * 
* 



TECHNICAL FIELDS 
SEARCHED (lnt.CI.7) 



PETER SZOR: "W2K. Stream" 
SYMANTEC SECURITY RESPONSE HOMEPAGE, 
'Online! 25 June 2003 (2003-06-25), 
XP002283089 

Retrieved from the Internet: 

URL : http ://web . archi ve . org/web/20030625134 

400/http ://www. sarc . com/avcenter/venc/data 

/pf/w2k . stream. html > 

'retrieved on 2004-06-02! 

* section "technical details", paragraph 3 

- paragraph 8 * 



1,3-5,8, 
9,11,12, 
14-16,19 



G06F 



-/— 



The present search report has been drawn up for all claims 



Place of search 



Munich 



Date of completion of the search 

12 July 2004 



Examiner 

Milasinovic, G 



CATEGORY OF CITED DOCUMENTS 

X : particularly relevant if taken alone 

Y ■ particularly relevant if combined with another 

document of the same category 
A : technological background 
O : non-written disclosure 
P : intermediate document 



T : theory or principle underlying the invention 
E : earlier patent document, but published on, or 

after the filing date 
D : document cited in the application 
L : document cited for other reasons 

& : member of the same patent family, corresponding 
document 



page 1 of 2 



European Patent 
Office 



EUROPEAN SEARCH REPORT 



Application Number 

EP 04 25 0954 



DOCUMENTS CONSIDERED TO BE RELEVANT 



Category 



Citation of document with indication, where appropriate, 
of relevant passages 



Relevant 
to claim 



CLASSIFICATION OF THE 
APPLICATION (lnLCI.7) 



"VMware Workstation User's Manual Version 
3.2" 

VMWARE HOMEPAGE, 'Online! 

16 December 2002 (2002-12-16), XP002283090 

Retrieved from the Internet: 

URL : http : //www. vmware . com/pdf /ws32_manual . 

pdf> 'retrieved on 2004-06-03! 

* page 27 * 

* page 33, top figure * 

* page 32, bottom figure * 

* page 37 * 



2,6,7, 
10,13, 
17,18,20 



"File Forks" 
APPLE DEVELOPER CONNECTION, 'Online! 
2 July 1996 (1996-07-02), XP002283091 
Retrieved from the Internet: 
URL : devel oper . appl e . com/document at i on/mac/ 
Files/Files-14.html> 
'retrieved on 2004-06-02! 
* paragraph '0002! * 



I, 3,4, 

II, 14,15 



TECHNICAL FIELDS 
SEARCHED (lnt.CI.7) 



The present search report has been drawn up for all claims 



Race ot search 

Munich 



Date ot completion ot the search 

12 July 2004 



Examiner 

Milasinovic, G 



CATEGORY OF CITED DOCUMENTS 

X : particularly relevant if taken alone 
Y : particularly relevant if combined with another 
, document of the same category 
A : technological background 
O : non-written disclosure • * 

P : intermediate document 



T : theory or principle underlying the invention 
E : earlier patent document, but published oh, or 

after the filing date * 
D : document cited in the application ' 1 ': 
L : document cited for other reasons 

& : member of the same patent family, corresponding 
document 



paqe 2 of 2 




Erweiterter Europaischer Recherchenbericht 
Extended European Search Report 
Rapport de Recherche Europeenne Elargi 



Anmelde-Nr.: 

Application No.: Q 4 250 954.7 



Demande no: 



This application is covered by the extended European search report pilot project at present 
running within the European Patent Office, applied to all European patent applications filed as 
first filing and searched on or after 01 .07.03. Under this project the EPO issues together with 
the search report an opinion on whether the application and the invention to which it relates 
meet the requirements of the EPC. This non-binding opinion is issued free of charge as a 
service. This opinion may be used as the basis for an informed decision as to whether it is 
desired to pursue the application further or not. 



For further details of this pilot project, the applicants attention is directed to the Official 
Journal edition 5/2003. If any further immediate questions or comments arise the EPO 
Customer Services: +31-70-340 4500 or +49-89-2399 2828 can be contacted. 



The attached opinion reveals that the application or the invention to which it relates 
appear not to meet the requirements of the Convention (see comments on enclosed 
Form 2906). 

If the applicant wishes to continue with this application the examination fee must be paid. 
Where appropriate amendments can be filed to address the objections raised in the opinion, 
thus shortening the overall procedure. If no amendments are filed, the opinion will be re- 
issued as the first official communication under Article 96(2) and Rule 51(2) EPC. 

If the examination fee has already been paid and the right to the communication under Article 
96(1) EPC has been waived for this application, the first official communication under Article 
96(2) and Rule 51 (2) EPC will be issued promptly. 
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The examination is being carried out on the following application documents: 

Text for the Contracting States : 

AT BE BG CH CY CZ DE DK EE ES Fl FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR LI 

Description, pages: 

1-15 as originally filed 



Claims, No.: 

1 -20 as originally filed 



Drawings, sheets: 

1/4-4/4 as originally filed 



1 Documents 

1 .1 The following documents are referred to in this communication; the numbering will 
be adhered to in the rest of the procedure: 

D1 : HAL BERGHEL, NATASA BRAJKOVSKA: 'Phishing in Alternate Data 
Streams' ASSOCIATION FOR COMPUTING MACHINERY, [Online] 6 
January 2004 (2004-01-06), XP002283088 Retrieved from the Internet: 
<URL:http://www.acm.org/hlb/col-edit/digital_village/apr-04/dv_4-04.html> 
[retrieved on 2004-06-02] 

D2: PETER SZOR: 'W2K.StrearrV SYMANTEC SECURITY RESPONSE 

HOMEPAGE, [Online] 25 June 2003 (2003-06-25), XP002283089 Retrieved 
from the Internet: <URL:http://web.archive.org/web/2003062513 
4400/http://www.sarc.com/avcenter/venc/data/pf/w2k.stream.html> [retrieved 
on 2004-06-02] 

D3: 'VMware Workstation User's Manual Version 3.2' VMWARE HOMEPAGE, 
[Online] 16 December 2002 (2002-12-16), XP002283090 Retrieved from the 
Internet: <URL:http://www.vmware.com/pdf/ws32_manual.pdf> [retrieved on 
2004-06-03] 

1 .2 Documents D1-D3 belong to the field of software installation and therefore a 
skilled person would combine them as part of a normal design procedure. 
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Summary 

The application does not meet the requirements of Article 84 EPC, because 
claims 1-20 are not clear. 

The present application does not meet the requirements of Article 52(1) EPC, 
because the subject-matter of claims 1 , 3-5, 8, 9, 1 1 , 1 2, 1 4-1 6 and 1 9 is not new 
in the sense of Article 54(1) and (2) EPC. 

Furthermore, the subject-matter of claims 2, 6, 7, 10, 13 and 16-20 is not 
inventive (Article 56 EPC). 

Clarity 

The term "NT File Structure" \s unclear with regard to Article 84 EPC, since the 
abbreviation "NT" might change in the course of time or might be changed in the 
future. Therefore, the file system should be rather defined by its features rather 
then its product name. The term should be changed to "NTFS, a file system 
having a master file table which allows associating multiple, permanently hidden 
secondary data streams, Alternate Data Streams, to the actual data stream, 
Primary Data Stream, " (see description, page 1 , line 1 1 -23). 
After this definition, the name of the file system "NTFS" might be used in the 
following dependent claims. 

The terms "installation", "installer" and "install" are vague with regard to Article 84 
EPC. For the rest of this document it will be interpreted as "copying one or more 
files to a target location on a storage medium". 

Novelty of claim 1 

Documents D1 and D2 are regarded as closest prior art and are considered as 
one single document since D1 directly references and mentions D2 as source for 
a more detailed analysis on the installer features which are part of the subject- 
matter of the present claim. 

D1 and D2 disclose in the original wording of claim 1 (reference to the closest 
prior art is made in parentheses; the original wording of the claim is set in italic 
font): 

A method for secure installation and operation of software, said method 
comprising: 

employing an NT File Structure logical volume (page 1 , section "Alternate Data 
Streams", paragraph 1, line 2, "...In NTFS..."); 

employing an installer (page 7, section "Security Implications of ADSs", 
paragraph 1, line 3-7, "...malware that takes advantage of ADSs (e.g. 
W2k.stream)...", the W2k.stream virus can be regarded as an installer since it 
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copies itself to the computers harddisk thereby infecting it; for a detailed 
description; D1 provides a link to a anti-virus site at page 7, section "Security 
Implications of ADSs", paragraph 1, line 6-7, "...As a datapoint, all W2k.stream 
threat vectors were assessed "low" by Symantec (www.sarc.com/..."; the linked 
document is D2; furthermore, in section "Origins", line 4-9, D1 discloses that 
Alternate Data Streams were introduced for compatibility with Macintosh files and 
applications which use them as storage for their resources); 

4.5 writing a Primary Data Stream file to said NT File Structure logical volume from 
said installer (D2, page 2, section "technical details", paragraph 4, line 3, 
"...overwriting the host program with its own code..."; the virus creates a new 
Primary Data Stream file with this operation); 

4.6 associating data with said Primary Data Stream file (D2, page 2, section 
"technical details", paragraph 4, line 4-5, "...saves the original host application 
as a named stream of the host program...", and thereby associating it with the 
virus since from that moment on it will execute it whenever it get executed itself, 
see D2, page 2, section "technical details", paragraph 5, line 3, "...the virus 
can execute the host program..."); and 

4.7 writing said associated data to said NT File Structure logical volume as an 
Alternate Data Stream file from said installer (D2, page 2, section "technical 
details", paragraph 4, line 4-5, "...the virus... saves the original host application 
as a named stream of the host program..."). 

4.8 Therefore, the subject-matter of claim 1 is not new and thus this claim is not 
allowable with regard to Articles 52(1) and 54 EPC. Should the applicant be able 
to identify minor differences or amend the claim by such differences which 
overcome the above novelty objection, then still the claim can not be considered 
to be allowable for lack of inventive step as required by Articles 52(1 ) and 56 EPC 
since Alternate Data Streams have been designed in order to install Macintosh 
applications on Microsoft operating systems having a Microsoft NTFS file system 
(D1, section "Origins") thereby implying that installers not only copied the 
application file(s) but also copied and associated the Alternate Data Streams in 
order to provide compatibility to the Apple HFS+ file systems. 

5 Novelty of independent system claim 11 

5.1 Since independent claim 1 1 only contains features that correspond to those of 
claim 1, the objections concerning novelty of claim 1 apply accordingly. 

6 Novelty of the dependent claims 

6.1 Dependent claims 3-5, 8, 9, 12, 14-16, 19 do not appear to contain any ad- 
ditional features which, in combination with the features of any claim to which they 
refer, meet the requirements of the EPC with respect to novelty (Article 54(1 ) and 
; (2) EPC), the reasons being as follows (reference to the closest prior art is made 
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in parentheses; the original wording of the claim is set in italic font): 
Claim 3 and 14: D1 discloses writing (page 3, line 8-9, "C:\...\test>echo "this is 
...with filel .txt">file1 .txtrsecond_ads.txt"), reading (page 3, line 18, 
M C:\..Atest>more < filel .txt:second_ads.txt"; shows the reading of an Alternate 
Data Stream); or manipulating (section "URL Pearls:", paragraph 3, line 1, 
"... The.. .utility that is ideal for ADS manipulation is <cp.exe>...") said Alternate 
Data Stream. 

Claim 4 and 15: employing as said Primary Data Stream file an executable file 
(D2, page 2, section "technical details", paragraph 4, line 3, "...overwriting the 
host program with its own code..."). 

Claim 5: creating a Primary Data Stream directory chain; writing said Primary 
Data Stream directory chain to said NT File Structure logical volume from said 
installer (D1, page 2, line 20, "mkdir test"; shows how a simple directory chain is 
created consisting of one directory; creating more complex directory structures 
belongs to fundamental knowledge in the area of computing); writing said Primary 
Data Stream file to said Primary Data Stream directory chain in said NT File 
Structure logical volume from said installer (implicit in D1 ; furthermore, it is 
disclosed in the description of the W2k.stream virus in D2, page 2, section 
"technical details", paragraph 4, line 3, "...overwriting the host program with its 
own code..."); associating said data with said Primary Data Stream directory chain 
or said Primary Data Stream file by creating and closing said Alternate Data 
Stream file (D1, page 2, line 22-25, "C:\...\test>echo "this is an. ..subdirectory" > 
:ads.txt", attaches an Alternate Data Stream to a directory and page 3, line 8-9, 
"C:\...\test>echo "this is ...with filel .txt">file1.txt:second_ads.txt M ; attaches an 
Alternate Data Stream to a file). 

Claim 8: D1 discloses two Alternate Data Streams being associated with an 
Primary Data Stream (page 2, line 34 - page 3, line 9). 

Claim 9: displaying said associated data from said Alternate Data Stream file in 
said NT File Structure logical volume (page 3, line 18, "C:\...\test>more < 
filel .txtsecond__ads.txt"; displays the Alternate Data Stream in the command 
prompt). 

Claim 12: D2 discloses said NT File Structure logical volume includes a directory 
chain or a system directory; and wherein said installer installs said Primary Data 
Stream file in said directory chain or said system directory of said NT File 
Structure (page 3, line 8-9, "C:\...\test>echo "this is.. .with 

filel .txt">file1 .txtisecond_ads.txt"; "filel .txt" is located in folder "test"; furthermore 
it is obvious that a file needs to be located in a directory). 
Claim 16: D1 discloses how to create a Primary Data Stream directory chain to 
said NT File Structure logical volume (page 2, line 20, "mkdir test"), to write said 
Primary Data Stream file to said Primary Data Stream directory chain in said NT 
File Structure logical volume (implicit, it is common knowledge how to create files 
in a file system)- to associate said data with said Primary Data Stream directory 



EPO Form 2906 01.91CSX 




Bescheid/Protokoll (Anlage) 



Communication/Minutes (Annex) 



Blatt 

Sheet 

Feuille 



Not if icalion/Proces- verbal (Annexe) 




Mr.: 

inc.: 04 250 954 .7 

n°: 



6.9 



7 

7.1 
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chain (page 2, line 24-25, "...echo "this is. ...subdirectory" > :ads0.txt", this 
command attaches the text in quotes to the "test" directory) or said Primary Data 
Stream file (page 2, line 35-36, "...echo "this...fiie.txt" > filet. txtfirst_ads.txt.. ."), 
and to install said associated data to said NT File Structure logical volume as said 
Alternate Data Stream file (implicit through page 2, line 35-36). 
Claim 19: the display of the contents of Alternate Data Streams is disclosed in D1 
(figure 1). 



Inventiveness of the dependent claims 

With regard to documents D1 and D3, the subject-matter of dependent claims 2, 
6, 7, 10, 13, 17, 18, 20 and the claims to which they refer, is not inventive (Article 
56 EPC). Document D3 describes the more fundamental aspects of an installation 
procedure, D1 refers to specific details on the use of Alternate Data Streams for 
the installation procedure. 

The detailed reasoning for the individual claims being as follows (reference to the 
closest prior art is made in parentheses; the original wording of the claim is set in 

italic font): 

Claims 2 and 13: D3 discloses an installation log (page 27, line 8, "...installation 
log..."), an application configuration file (page 27, line 1, "...the configuration 
file..."), an error log (page 27, line 2-4, "... the.. .vmware.log.. .of the virtual machine 
that had problems..."; implicitly states that this is the applications log file which 
logs errors), help information (page 37, line 35-36, "...manual files, documentation 
files..."). Database information files are just another embodiment a skilled person 
would use in the case of a database related application. 
Claims 6 and 17: D3 discloses employing an installation file (page 37, line 11, 
"...specifying the installation file...") comprising said Primary Data Stream file 
(page 37, line 35-36, "...binary files..."), said Alternate Data Stream file (disclosed 
in D1), installation instructions (page 33, top figure, discloses a window of the 
install wizard, displaying instructions on the top part of the window; furthermore it 
is common practise to display installation instructions before or during the 
installation procedure), said Primary Data Stream directory chain (page 37, line 
35-36, "...Accept the default directories for binary files, library files, manual files, 
documentation files and init script..."), and an End User License Agreement (page 
32, bottom figure). 

The use of Alternate Data Streams for storage of application related data is 
already known from D1 . 

Claims 7 and 18: displaying said installation instructions (D3, page 33, top 
figure, discloses a window of the install wizard, displaying instructions on the top 
part of the window; furthermore it is common practise to display installation 
instructions before or during the installation procedure) and End User License 
Agreement (D3, page 32j bottom figure) from said installation file. v. 
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7.5 Claim 10 and 20: D3 discloses employing an installation file (page 37, line 11, 
"...installation file..."); defining in said installation file a Primary Data Stream 
directory chain, said Primary Data Stream file (page 37, line 35-36, "...binary 
files..."), said Alternate Data Stream file (disclosed in D1), and at least one 
information file (page 32, bottom figure); displaying said at least one information 
file from said installation file (page 32, bottom figure); creating said Primary Data 
Stream directory chain in said NT File Structure logical volume; copying said 
Primary Data Stream file from said installation file to said Primary Data Stream 
directory chain in said NT File Structure logical volume (the creation of a directory 
chain and the copying of files is implicitly disclosed at page 37, line 36-37, 
"...Accept the default directories for binary files, library files, manual files..."); and 
copying said Alternate Data Stream file from said installation file to said Primary 
Data Stream directory chain in said NT File Structure logical volume (disclosed in 
D1). 

8 Conclusion 

8.1 It is not at present apparent which part of the application could serve as a basis 
for a new, allowable claim. Should the applicant nevertheless regard some 
particular matter as patentable, an independent claim should be filed taking 
account of Rule 29(1 ) EPC. 

8.2 In case the applicant files a new set of claims, the applicant is requested to point 
out and discuss in his letter of reply any difference that would distinguish the 
subject-matter of the present application from what is disclosed in the available 
prior art. In particular, the applicant is requested to identify the technical problem 
that exists in the closest prior art, namely D1 and D2, describe how the applicant's 
invention solves this problem, and provide some argument for why this solution 
would not be obvious to a person skilled in the art. 

8.3 When filing amended claims the applicant should at the same time bring the 
description into conformity with the amended claims. Care should be taken during 
revision, especially of the introductory portion and any statements of problem or 
advantage, not to add subject-matter which extends beyond the content of the 
application as originally filed (Article 123(2) EPC). 

8.4 In order to facilitate the examination of the conformity of the amended application 
with the requirements of Article 123(2) EPC, the applicant is requested to clearly 
identify the amendments carried out, irrespective of whether they concern 
amendments by addition, replacement or deletion, and to indicate the passages of 
the application as filed on which these amendments are based. 

8.5 Reference signs in parentheses should be inserted in the claims to increase their 
intelligibility, Rule 29(7) EPC. This applies to both the preamble and characterising 
portion (see the Guidelines, C-lll, 4.11). 

8.6 The applicant is requested to effect the amendments by filing replacement pages 
uv: : . ^ vfor only those pages which have been/ amended. Unnecessary recasting of the 
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description should be avoided. An amended abstract is not required. 

8.7 The applicant should also take account of the requirements of Rule 36(1 ) EPC. If 
handwritten amendments are submitted, they should be clearly legible for the 
printer. In particular, fair copies of the amended pages should be filed in triplicate. 
Replacement pages containing handwritten amendments should also be filed in 
triplicate. 

8.8 Moreover, it is considered as appropriate in the present case to draft the new 
independent claim in the two-part form as required by Rule 29(1) EPC, whereby 
the features known in combination from documents D1 and D2 should be placed 
in the preamble. If the applicant is of the opinion that a two-part form of the claim 
would be inappropriate he is invited to provide reasons in his reply. In addition, the 
applicant should ensure that it is clear from the description which features of the 
subject-matter of the new independent claim are known from documents D1 and 
D2; see Guidelines C-lll,2.3b. 

8.9 To meet the requirements of Rule 27(1 )(b) EPC, the documents D1 and D2 
should be identified in the description and the relevant background art disclosed 
therein should be briefly discussed. 
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What is Claimed is : 

1. A method for secure installation and operation of software, said 
method comprising: 

employing an NT File Structure logical volume; 
employing an installer; 

writing a Primary Data Stream file to said NT File Structure 

logical volume from said installer; 

associating data with said Primary Data Stream file; and 
writing said associated data to said NT File Structure logical 

volume as an Alternate Data Stream file from said installer. 

2. The method of Claim 1 further comprising 

selecting said data from the group comprising an installation 
log, an application configuration file, an error log, help information, and database 
information. 

3. The method of Claim 1 further comprising 

writing, reading or manipulating said Alternate Data Stream 
file from an application program after said writing said associated data. 

4. The method of Claim 1 further comprising 

employing as said Primary Data Stream file an executable file. 

5. The method of Claim 1 further comprising 
creating a Primary Data Stream directory chain; 

writing said Primary Data Stream directory chain to said NT 
File Structure logical volume from said installer; 

writing said Primary Data Stream file to said Primary Data 
Stream directory chain in said NT File Structure logical volume from said installer; 

associating said data with said Primary Data Stream directory 
chain or said Primary Data Stream file by creating and closing said' Alternate Data 
Stream file; and 

installing said associated data to said NT File Structure logical 
volume as said Alternate Data Stream file from said installer. 



- 17- 



6. The method of Claim 5 further comprising 

employing an installation file comprising said Primary Data 
Stream file, said Alternate Data Stream file, installation instructions, said Primary 
Data Stream directory chain, and an End User License Agreement. 

7. The method of Claim 6 further comprising 

displaying said installation instructions and said End User 
License Agreement from said installation file. 

8. The method of Claim 1 further comprising 
employing as said associated data first data; 

employing as said Alternate Data Stream file a first Alternate 

Data Stream file; 

employing second data; 

associating said second data with said Primary Data Stream 

file; and 

writing said associated second data to said NT File Structure 
logical volume as a second Alternate Data Stream file from said installer. 

9. The method of Claim 1 further comprising 

displaying said associated data from said Alternate Data Stream 
file in said NT File Structure logical volume. 

10. The method of Claim 1 further comprising 
employing an installation file; 

defining in said installation file a Primary Data Stream 
directory chain, said Primary Data Stream file, said Alternate Data Stream file, and at 
least one information file; 

displaying said at least one information file from said 

installation file; 

creating said Primary Data Stream directory chain in said NT 
File Structure logical volume; 

copying said Primary Data Stream file from said installation 
file to said Primary Data Stream directory chain in said NT File Structure logical 
volume; and 
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copying said Alternate Data Stream file from said installation 
file to said Primary Data Stream directory chain in said NT File Structure logical 
volume. 

11. A computer system for secure installation and operation of 
software, said computer system comprising: 

a processor; 

a first drive adapted for access by said processor; 

a second drive adapted for access by said processor, said 
second drive including an NT File Structure logical volume; and 

an installer operatively associated with said first drive, said 
installer cooperating with said processor to write a Primary Data Stream file to said 
NT File Structure logical volume, associate data with said Primary Data Stream file, 
and write said associated data to said NT File Structure logical volume as an Alternate 
Data Stream file. 

1 2. The computer system of Claim 1 1 wherein said NT File 
Structure logical volume includes a directory chain or a system directory; and wherein 
said installer installs said Primary Data Stream file in said directory chain or said 
system directory of said NT File Structure logical volume. 

13. The computer system of Claim 1 1 wherein said data is selected 
from the group comprising an installation log, an application configuration file, an 
error log, help information, and database information. 

14. The computer system of Claim 1 1 wherein said NT File 
Structure logical volume includes an application program, which cooperates with said 
processor to write, read or manipulate said Alternate Data Stream file. 

15. The computer system of Claim 1 1 wherein said Primary Data 
Stream file is an executable file, which is adapted for execution by said processor. 

16. The computer system of Claim 1 1 wherein said installer 
cooperates with said processor to create a Primary Data Stream directory chain, to 
write said Primary Data Stream directory chain to said NT File Structure logical 
volume, to write said Primary Data Stream file to said Primary Data Stream directory 
chain in said NT File Structure logical volume, to associate said data with said 
Primary Data Stream directory chain or said Primary Data Stream file, and to install 
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said associated data to said NT File Structure logical volume as said Alternate Data 
Stream file. 

1 7. The computer system of Claim 1 1 wherein said installer 
comprises an installation file comprising said Primary Data Stream file, said Alternate 
Data Stream file, installation instructions, a Primary Data Stream directory chain, and 
an End User License Agreement. 

18. The computer system of Claim 17 wherein said processor 
includes a display; and wherein said installer cooperates with said processor to display 
said installation instructions and said End User License Agreement on said display. 

19. The computer system of Claim 1 1 wherein said processor 
includes a display; wherein said NT File Structure logical volume includes a display 
utility; and wherein said display utility cooperates with said processor to display said 
associated data from said Alternate Data Stream file in said NT File Structure logical 
volume on said display. 

20. The computer system of Claim 1 1 wherein said processor 
includes a display; wherein said installer comprises an installation file including a 
Primary Data Stream directory chain, said Primary Data Stream file, said Alternate 
Data Stream file, and at least one information file; and wherein said installer 
cooperates with said processor to display said at least one information file from said 
installation file to said display, to create said Primary Data Stream directory chain in 
said NT File Structure logical volume, to copy said Primary Data Stream file from 
said installation file to said Primary Data Stream directory chain in said NT File 
Structure logical volume, and to copy said Alternate Data Stream file from said 
installation file to said Primary Data Stream directory chain in said NT File Structure 
logical volume. 
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Term: 


Definition: 


benign virus 


A virus that does not destroy programs or data, but 
displays a message, perhaps a humorous one, on the 
computer screen at certain times; intended as a 

harmless Drank 


boot virus 


A virus that infects a computer when the computer is 
booted from an infected disk. A boot virus may make it 
impossible to start the computer. 


stealth virus 


A virus that has ways of hiding itself so it is hard to 
detect. 


virus 


A program that can "infect" other programs by 
modifying them to include a, possibly evolved, copy of 
itself. A program that infects a computer by atttaching 
itself to another program, and propagating itself when 
that program is executed. A computer can become 
infected by files downloaded over a network, or by the 
installation of new software or floppy disks that are 
infected with viruses. Some viruses are only pranks, 
and perform harmless actions like displaying a screen 
with a joke message on it. Others can destroy files or 
wipe out a hard drive. To avoid damage from viruses, 
write-protect the boot disk and other important disks, 
rheek new software or disks for viruses and have virus 
protection software installed on the computer at all 
times. Disinfectant programs must be updated 
periodically because new viruses get into circulation 
over time. There are some virus protection programs 
available on the Internet for free. Knowingly spreading 
a computer virus is a crime punishable by law. See 
also Trojan horse and worm. 


virus signature 


The binary pattern of a virus, used by the antivirus 
program to detect and eliminate the virus. 


Intended virus 


This file/sector contains a program that "intends" to be 
a virus. It searches and tries to hit the files or sectors 1 
but fails, or the second generation of that "virus" can 
not replicate. Often these files are modified viruses or 
viruses that were compiled from not well debugged 
source files. 


virus definitions 


The list of viruses that the anti-virus program has the 
ability to detect. Anti-virus software companies usually 
post 'virus definitions' updates on their web sites. 


virus hoax 


A hoax is generally an email or newsgroup posting 
claiming that a new virus threat has been created 
when in fact it does not exist. The intent of the 
message is to scare other users into forwarding the 
false information to others, effectively spreading the 
hoax. If you receive a message about a virus from 
email or from a newsgroup contact either your IT/MIS 
department or the manufacturer of your anti-virus 
program before forwarding the message. 
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Protect Your Business From Virus 

Attacks. Get a Free Evaluation Now! 



Virus.LSpywareRemoval 

Home, Office, Anywhere in USA 
certified tech on-site Today! 



Iop_Rated_Spyware_Removex 
Free Scan, awarded Spyware and 
Trojan removal - Download Now! 
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virus 

A program or piece of code that is 
loaded onto your computer without your 
knowledge and runs against your wishes. 
Viruses can also replicate themselves. 
All computer viruses are manmade. A 
simple virus that can make a copy of 
itself over and over again is relatively 
easy to produce. Even such a simple 
virus is dangerous because it will 
quickly use all available memory and 
bring the system to a halt. An even more 
dangerous type of virus is one capable of 
transmitting itself across networks and 
bypassing security systems. 

Since 1987, when a virus infected 
ARPANET , a large network used by the Defense Department and many universities, many 
antivirus p ro grams have become available. These pro grams periodically check your com puter 
s ystem for the best-known types of viruses. 

Some people distinguish between general viruses and worms. A worm is a special type of 
virus that can replicate itself and use memory, but cannot attach itself to other programs. 
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Barracuda Networks: Virus Protection - Manufactures spam firewall products for 
enterprise email protection. Anti-spam networking appliance filters email without 
affecting the server. 

Essential Security Software: Virus Protection Software - Offers security 
software solutions for personal computers and small networks, including encryption 
and secure delivery of email and documents. 

RAE Internet: Virus Protection - Offers anti-virus and email security software 
solutions, including virus protection and spam protection for email servers. 
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For internet com pages about virus 
CLICK HERE. Also check out the 
following links! 
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AVP Virus Ency clo pedia 

The AVP Virus Encyclopedia contains over 2300 computer virus 
descriptions accessible by keyword search or alphabetical index. 
The AVP Virus Encyclopedia is also available as a freeware 
distribution. 

Downloadable virus scanning software £fc 

Provides links to downloadable software for virus scanning. 
Included are VirusScan and TBAV for Windows, and F-PROT. 

eSecurity Planet £/c 

A resource for daily information on e-security targeted to IT 
managers. The site provides users with information from a variety 
of sources, including experts at security product and services 
firms, and the consultants who follow the security industry. 

McAfee virus information home page £fc 

McAfee Associates specializes in network and security 
management. This page displays company news and product 
information, as well as links to virus descriptions and online 
technical support. 

PC Housekeeping: Optimize With Maintenance £fc 

Spring cleaning isn't just for dusty closets, and it isn't just for 
spring. Do you know what to do to keep your PC running at peak 
performance? Why not learn? 

S ymantec Antivirus Research Center $fc 

The Symantec Antivirus Research Center offers a wealth of 
information on viruses. It begins with a list of hot topics (new 
virus and virus products), and also provides links to virus alerts, 
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an information database, references, submit virus samples, 
Macintosh viruses, and Symantec virus product information. 

The CERT/CC Home Pag e £/c 

Learn about the organizations mission and get up-to-date security 
information, security alerts and training information. 

CIAC Virus Myth and Hoaxes Site 

Created as a public service by the Computer Incident Advisory 
Capability (CIAC) to educate people about virus myths and 
hoaxes. 

Computer Virus Myths 

Contains information about the newest hoaxes as well as 
background on computer viruses and myths, opinions and 
editorials, and recommended books and Web sites. 

Dr. Solomon's computer virus information site 

This site is dedicated to users of Dr. Soloman's virus and 
information technology security products, and provides links to a 
virus information center, product and company information, and 
related Web links. 

Hartmann's In-The-Wild Macro Virus List 
Describes macro viruses reported by anti-virus software 
manufacturers. 

How a Computer Virus Works 

Explains the different types of viruses and how they work. 

Overview of computer viruses and anti-virus software 

Explains how viruses work and provides links to additional 
information about viruses and anti-virus software. Written and 
maintained by Bob Kanish. 

SecurityTracker.com 

Information on the latest security vulnerabilities, free 
SecurityTracker Alerts, and customized vulnerability notification 
services. 

Virus Info Database 

This is Symantec's Virus Info Database. You can search for a virus 
by name or refer to general virus information. 

Virus Information Index 

An alphabetical list of virus names which link to a summary and 
virus details. 



VIRUS-L/comp.virus FAQ 

Answers some frequently asked questions about computer 
viruses. This FAQ has been compiled by some of the main 
contributors to the Virus-L mailing list and its USENET news fan- 
out, comp. virus. 

What Kee ps Com puters Safe 

Here's the scoop on the differences between hardware and 
software firewalls, virus protection, and why you need them. 



Microsoft Getting Organized: Virus Protection - Microsoft's free "Slice the 
Spam" audio course details how Microsoft(R) Office Outlook(R) 2003 can help 
eliminate junk e-mail. 

AdvisorMail: Virus Protection Software - Offers email storage, IM storage and 
monitoring solution. Searchable database allows retrieval of company emails, 
attachments and instant messages. 

Everyone.net: Email Virus Protection - Teamed with Sophos to provide up-to-date 
virus and hoax protection to its Business Mail users. 

Platform Logic: Virus Protection - Offers AppFire, virus protection software, 
designed to prevent attacks from known and unknown viruses and malicious insiders. 

eBay: Virus Protection Software - Online marketplace for buying and selling virus 
protection software. 
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